Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology, Proventia Network IPS, Proventia Server IPS for Linux technology, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor: This signature detects a DNS cache poisoning attack characterized by a large number of small attacks against subdomains of a common domain, which use Additional Resource Records to poison that domain. After this signature detects an attack, all future packets associated with the attack are dropped (this applies only to sensors operating in inline mode). The automatic drop response can be disabled by setting the tuning parameter 'pam.dns_cache_poison.drop' to 'false'.
Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology, Proventia Network IPS, Proventia Server IPS for Linux technology, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor: A false positive is highly unlikely, but if false positives are known to occur, raise the value of the tuning parameter pam.dns_cache_poison.subdomain.answer.limit or pam.dns_cache_poison.repeated.domain.limit.
Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology, Proventia Network IPS, Proventia Server IPS for Linux technology, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor: A false negative is possible if the attacker guesses the correct DNS transaction ID of a specific question with very few attempts.
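The detection behaviour described above, as an added illustration rather than the sensor's own code: a small Python model that inspects DNS responses and keeps one counter per tuning parameter named on this page. How the sensor actually defines pam.dns_cache_poison.subdomain.answer.limit and pam.dns_cache_poison.repeated.domain.limit is not stated here, so the counter semantics, the default limits, the blocking behaviour and the sample responses below are assumptions constructed for the example.

```python
"""Heuristic model of the DNS cache-poisoning signature described above.

Constructed example, not the sensor's code. Each DNS *response* seen by a
resolver is inspected and two counters are kept per parent domain:

  * subdomain_answer_limit : distinct sibling subdomains of one parent domain
    whose responses carried Additional RRs for that parent domain (assumed
    reading of pam.dns_cache_poison.subdomain.answer.limit)
  * repeated_domain_limit  : responses observed for one and the same question
    name, i.e. a flood of answers racing the genuine one (assumed reading of
    pam.dns_cache_poison.repeated.domain.limit)

`drop` mirrors pam.dns_cache_poison.drop: once a parent domain trips a limit,
every later response for it is dropped (inline mode); with drop=False the
model only alerts.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class DnsResponse:
    qname: str                                      # question name, e.g. "r1.example.com."
    additional: list = field(default_factory=list)  # [(name, rtype, rdata), ...]


def parent_domain(name: str) -> str:
    """Strip the leftmost label: 'www.example.com.' -> 'example.com.'."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[1:]) + "."


@dataclass
class CachePoisonDetector:
    subdomain_answer_limit: int = 5   # assumed default
    repeated_domain_limit: int = 3    # assumed default
    drop: bool = True                 # analogue of pam.dns_cache_poison.drop
    _subdomains: dict = field(default_factory=lambda: defaultdict(set), init=False, repr=False)
    _repeats: dict = field(default_factory=lambda: defaultdict(int), init=False, repr=False)
    _blocked: set = field(default_factory=set, init=False, repr=False)

    def inspect(self, resp: DnsResponse) -> str:
        """Return 'pass', 'alert' or 'drop' for one response."""
        qname = resp.qname.lower()
        parent = parent_domain(qname)
        if parent in self._blocked:
            return "drop"
        # Additional RRs naming hosts inside the parent domain (glue such as
        # ns1.example.com A ...) are the vehicle for poisoning that domain.
        carries_parent_rrs = any(
            (n := name.lower()) == parent or n.endswith("." + parent)
            for name, rtype, _ in resp.additional
            if rtype in ("A", "NS")
        )
        if carries_parent_rrs:
            self._subdomains[parent].add(qname)
        self._repeats[qname] += 1
        suspicious = (
            len(self._subdomains[parent]) > self.subdomain_answer_limit
            or self._repeats[qname] > self.repeated_domain_limit
        )
        if not suspicious:
            return "pass"
        if self.drop:
            self._blocked.add(parent)
            return "drop"
        return "alert"


def run(responses, **settings):
    """Feed a response sequence through a fresh detector; return the verdicts."""
    det = CachePoisonDetector(**settings)
    return [det.inspect(r) for r in responses]


# Constructed sample: two ordinary lookups, six answers for random sibling
# subdomains that all carry glue for the parent, then four answers for one name.
GLUE = [("ns1.example.com.", "A", "203.0.113.9")]   # constructed glue record
SAMPLE = (
    [DnsResponse("www.example.com.", [("ns1.example.com.", "A", "192.0.2.1")]),
     DnsResponse("mail.example.com.")]
    + [DnsResponse(f"r{i}.example.com.", GLUE) for i in range(1, 7)]
    + [DnsResponse("www.example.org.") for _ in range(4)]
)

if __name__ == "__main__":
    for resp, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{verdict:5s} {resp.qname}")
```

With the assumed defaults the fifth random subdomain pushes example.com. over subdomain_answer_limit and the fourth answer for www.example.org. trips repeated_domain_limit; raising either limit, as the false-positive note above suggests, moves those trip points later.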
Medium
Proventia Desktop: 2270, Proventia-G 1.1 and earlier: XPU 28.130, Proventia Network MFS: XPU 28.130, Proventia Server IPS for Microsoft Windows technology: 2.0.300.2270, Proventia Network IPS: XPU 28.130, Proventia Server IPS for Linux technology: 28.130, BlackICE PC Protection: 3.6crg, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2270, BlackICE Server Protection: 3.6.crg, RealSecure Network: XPU 28.130, RealSecure Server Sensor: XPU 28.130
Novell NetWare, Sun Solaris: 8 x86, Cisco IOS: 12.1T, Cisco IOS: 12.0T, Cisco IOS: 12.1, Cisco IOS: 12.2T, Cisco IOS: 12.2, Gentoo Linux, RedHat Enterprise Linux: 2.1 AS, RedHat Enterprise Linux: 2.1 ES, RedHat Enterprise Linux: 2.1 WS, Cisco IOS: 12.1EA, Cisco IOS: 12.1EX, Cisco IOS: 12.0WC, Cisco IOS: 12.1AY, Cisco IOS: 12.2B, Cisco IOS: 12.2BC, Cisco IOS: 12.2BW, Cisco IOS: 12.2ZJ, Cisco IOS: 12.2ZL, HP HP-UX: B.11.11, Microsoft Windows 2000: SP4, RedHat Enterprise Linux: 3 WS, RedHat Enterprise Linux: 3 ES, RedHat Enterprise Linux: 3 AS, Cisco IOS: 12.0XR, Microsoft Windows 2003 Server: x64, Sun Solaris: 8 SPARC, Sun Solaris: 9 x86, Cisco IOS: 12.3B, Cisco IOS: 12.3T, RedHat Enterprise Linux: 3 Desktop, HP HP-UX: B.11.23, SuSE SuSE SLES: 9, Microsoft Windows XP: SP2, Cisco IOS: 12.2YU, Cisco IOS: 12.2ZD, Cisco IOS: 12.2ZE, Cisco IOS: 12.2ZF, Cisco IOS: 12.2ZG, Cisco IOS: 12.2ZH, Cisco IOS: 12.3BW, Cisco IOS: 12.3XA, Cisco IOS: 12.3XB, Cisco IOS: 12.3XC, Cisco IOS: 12.3XE, Turbolinux Turbolinux: 10 Server, MandrakeSoft Mandrake Linux Corporate Server: 3.0, Cisco IOS: 12.2CZ, Cisco IOS: 12.2YT, Cisco IOS: 12.3XD, Cisco IOS: 12.3XF, Cisco IOS: 12.3XG, Cisco IOS: 12.3XH, Cisco IOS: 12.3XI, Cisco IOS: 12.3XJ, Cisco IOS: 12.3XK, Cisco IOS: 12.3XQ, Cisco IOS: 12.3XR, Cisco IOS: 12.3XS, Cisco IOS: 12.3XW, Cisco IOS: 12.3YA, Cisco IOS: 12.3YD, Cisco IOS: 12.3YF, Cisco IOS: 12.3YG, Cisco IOS: 12.3YH, Cisco IOS: 12.1DB, Cisco IOS: 12.1DC, Cisco IOS: 12.2XB, Cisco IOS: 12.2XC, Cisco IOS: 12.2XG, Cisco IOS: 12.2XK, Cisco IOS: 12.2XL, Cisco IOS: 12.2BY, Cisco IOS: 12.0XE, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, Novell Linux Desktop: 9, Cisco IOS: 12.2YJ, Cisco IOS: 12.2YL, Cisco IOS: 12.2YM, Cisco IOS: 12.2YN, Cisco IOS: 12.2ZB, Cisco IOS: 12.3YI, Cisco IOS: 12.3YK, Cisco IOS: 12.2YO, RedHat Enterprise Linux: 4 ES, RedHat Enterprise Linux: 4 WS, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: Professional x64, Microsoft Windows 2003 Server: SP1 Itanium, Cisco IOS: 12.3YS, Cisco IOS: 12.3, MandrakeSoft Mandrake Multi Network Firewall: 2.0, BlueCoat Director, Cisco IOS: 12.1YE, Cisco IOS: 12.2XU, Cisco IOS: 12.3YT, Cisco IOS: 12.3YU, Cisco IOS: 12.4MR, Cisco IOS: 12.4T, Sun Solaris: 10 SPARC, Sun Solaris: 10 x86, Cisco IOS: 12.2YV, Cisco IOS: 12.2TPC, Cisco IOS: 12.3TPC, Cisco IOS: 12.4XA, Cisco IOS: 12.4XB, RedHat Linux Advanced Workstation: 2.1 Itanium, Cisco IOS: 12.0XK, Cisco IOS: 12.3YM, Cisco IOS: 12.3YX, Canonical Ubuntu: 6.06 LTS, Citrix Access Gateway: 4.2, MandrakeSoft Mandrake Linux Corporate Server: 4.0, MandrakeSoft Mandrake Linux Corporate Server: 4.0 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 3.0 X86_64, Citrix Access Gateway: 4.5 Advanced, Cisco IOS: 12.3YZ, Cisco IOS: 12.4SW, Cisco IOS: 12.4XC, Cisco IOS: 12.4XD, Cisco IOS: 12.4XE, Cisco IOS: 12.4XJ, Cisco IOS: 12.4XT, Cisco IOS: 12.0DB, Cisco IOS: 12.0DC, Cisco IOS: 12.1XC, Novell Linux POS: 9, Turbolinux Turbolinux Appliance Server: 2.0, Turbolinux Turbolinux: 10 Server x64 Ed, Turbolinux Turbolinux Appliance Server: 1.0 Hosting Ed, Turbolinux Turbolinux Appliance Server: 1.0 Workgroup Ed, Microsoft Windows 2003 Server: SP2, Microsoft Windows 2003 Server: SP2 Itanium, Microsoft Windows 2003 Server: SP2 x64, Microsoft Windows XP: SP2 Professional x64, RedHat Enterprise Linux: 5, RedHat Enterprise Linux: 5 Client Workstation, MandrakeSoft Mandrake Linux: 2007.1, MandrakeSoft Mandrake Linux: 2008.0 X86_64, Debian Debian Linux: 4.0, Canonical Ubuntu: 7.04, Cisco IOS: 12.4, Cisco IOS: 12.2XT, HP HP-UX: B.11.31, Citrix Access Gateway: 4.5 Standard, Apple iPhone: 1.0, Novell SUSE Linux Enterprise Server: 10 SP1, Novell SUSE Linux Enterprise Desktop: 10 SP1, Novell SLE SDK: 10 SP1, Astaro Astaro Security Gateway: 7.0, Cisco IOS: 12.4XV, Cisco IOS: 12.4XW, HP Storage Management Appliance: 2.1, RedHat Enterprise Linux: 5 Client, Canonical Ubuntu: 7.10, MandrakeSoft Mandrake Linux: 2008.0, MandrakeSoft Mandrake Linux: 2008.1 X86_64, MandrakeSoft Mandrake Linux: 2007.1 X86_64, Apple Mac OS X: 10.5, Apple Mac OS X Server: 10.5, Apple Mac OS X: 10.4.11, Apple Mac OS X: 10.5.1, Turbolinux Turbolinux: 11 Server x64 Ed, Turbolinux Turbolinux: 11 Server, Apple Mac OS X Server: 10.4.11, Apple Mac OS X Server: 10.5.1, Apple iPhone: 1.1.2, Apple iPhone: 1.1.3, Apple Mac OS X: 10.5.2, Apple Mac OS X Server: 10.5.2, Cisco IOS: 12.3VA, Citrix NetScaler, F5 3 DNS, F5 BIG-IP, ISC BIND: 4, ISC BIND: 8, Novell Open Enterprise Server, Apple iPhone: 1.0.1, Apple iPhone: 1.1.1, Apple iPod touch: 1.1, Apple iPod touch: 1.1.1, Apple iPod touch: 1.1.2, BlueCoat ProxySG, SecureComputing Sidewinder, Novell OpenSUSE: 10.2, Novell OpenSUSE: 10.3, MandrakeSoft Mandrake Linux: 2008.1, F5 FirePass: 6.0.2, F5 FirePass: 6.0.1, F5 FirePass: 5.5.2, F5 FirePass: 6.0, Canonical Ubuntu: 8.04 LTS, Microsoft Windows XP: SP3, Sun OpenSolaris: build snv_64, Sun OpenSolaris: build snv_92, Sun OpenSolaris: build snv_13, Sun OpenSolaris: build snv_91, Sun OpenSolaris: build snv_22, Sun OpenSolaris: build snv_19, Novell OpenSUSE: 11.0, Novell SUSE Linux Enterprise Desktop: 10 SP2, Novell SUSE Linux Enterprise: 10 SP2 DEBUGINFO, Novell SLE SDK: 10 SP2, Novell SUSE Linux Enterprise Server: 10 SP2, Apple Mac OS X Server: 10.5.3, Apple Mac OS X: 10.5.3, Yukihiro Matsumoto Ruby: 1.9, Yukihiro Matsumoto Ruby: 1.8, Cisco IOS: 12.4MD, Cisco IOS: 12.4XL, Cisco IOS: 12.4XM, Cisco IOS: 12.4XN, Cisco IOS: 12.4XQ, Cisco IOS: 12.4XY, Cisco IOS: 12.4XZ, Cisco CNS Network Registrar: 6.1, Cisco CNS Network Registrar: 6.3, Cisco CNS Network Registrar: 7.0, Cisco Application and Content Networking Software: 5.5, Apple iPhone: 1.1.4, Apple iPod touch: 1.1.3, Apple iPod touch: 1.1.4, Sun OpenSolaris: build snv_01, Sun OpenSolaris: build snv_95, F5 FirePass: 5.5, F5 Enterprise Manager, F5 WANJet, BlueCoat ProxyRA, Thekelleys Dnsmasq: 2.43, ISC BIND: 9.2.9, BlueCat Networks Adonis: 4.1.0.43, BlueCat Networks Adonis: 5.0, BlueCat Networks Adonis: 5.1.0, BlueCat Networks Adonis: 5.1.1, Sun Solaris: 9 SPARC, CyberGuard Corporation CyberGuard TSP, CyberGuard Corporation CyberGuard Classic, Apple Mac OS X: 10.5.4, Apple Mac OS X Server: 10.5.4, Yamaha RT Series Routers: ja, Alcatel-Lucent VitalQIP, Apple iPhone: 2.0.2, Astaro Astaro Security Gateway: 6.0, Apple iPod touch: 2.0.2, Apple iPod touch: 2.0.1, Apple iPod touch: 2.0, Ingate Ingate Firewall: 4.6.2, Ingate Ingate SIParator: 4.6.2, Apple iPhone: 2.0, Apple iPhone: 2.0.1, Paul A. Rombouts pdnsd
Protocol Signature
Multiple vendor DNS protocol implementations could allow a remote attacker to spoof DNS traffic. The DNS client service fails to provide an adequate amount of entropy when performing DNS queries. An attacker could exploit this vulnerability to spoof DNS traffic against certain recursive resolvers, which could allow the attacker to obtain sensitive information and redirect Internet traffic to any server of the attacker's choosing.
For Microsoft Windows:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-037. See References.
For other distributions:
Apply the appropriate update for your system. See References.
Microsoft Security Bulletin MS08-037
Vulnerabilities in DNS Could Allow Spoofing (953230)
http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
cisco-sa-20080708-dns
Cisco Security Advisory: Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
Sun Alert ID: 239392
Security Vulnerability in the DNS Protocol may lead to DNS Cache Poisoning
http://sunsolve.sun.com/search/document.do?assetkey=1-26-239392-1
Nominum Software Security Advisory NOM-20080708
Nominum Software Security Advisory
http://www.nominum.com/asset_upload_file741_2661.pdf
ISC Web site
CERT VU#800113 DNS Cache Poisoning Issue
http://www.isc.org/index.pl?/sw/bind/bind-security.php
Novell Security Alert Document ID: 7000912
Status of CVE-2008-1447 - Multiple DNS implementations vulnerable to cache poisoning
http://www.novell.com/support/viewContent.do?externalId=7000912
HPSBST02350 SSRT080102 rev.1
Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-037 to MS08-040
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01503743
NORTEL BULLETIN ID: 2008008958, Rev 1
Centrex IP Client Manager (CICM) response to Microsoft July security bulletin
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=745165
Blue Coat Security Advisory, 14 July 2008
DNS CACHE POISONING VULNERABILITY (CERT VU#800113)
http://www.bluecoat.com/support/security-advisories/dns_cache_poisoning
HPSBUX02351 SSRT080058 rev.2
HP-UX Running BIND, Remote DNS Cache Poisoning
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01506861
milw0rm.com [2008-07-23]
BIND 9.4.1-9.4.2 Remote DNS Cache Poisoning Flaw Exploit (meta)
http://milw0rm.com/exploits/6122
Full-Disclosure Mailing List, Wed Jul 23 2008 - 18:34:26 CDT
CAU-EX-2008-0002: Kaminsky DNS Cache Poisoning Flaw Exploit
http://archives.neohapsis.com/archives/fulldisclosure/2008-07/0410.html
milw0rm.com [2008-07-24]
BIND 9.4.1-9.4.2 Remote DNS Cache Poisoning Flaw Exploit (py)
http://milw0rm.com/exploits/6123
milw0rm.com [2008-07-25]
Exploit for CVE-2008-1447 - Kaminsky DNS Cache Poisoning Attack
http://milw0rm.com/exploits/6130
TheKelleys.org Web page
Dnsmasq
http://www.thekelleys.org.uk/dnsmasq/doc.html
BlueCat Networks Web site
Adonis
http://www.bluecatnetworks.com/products/adonis-dns-dhcp-appliances/
Citrix Systems Web site
Citrix NetScaler
http://www.citrix.com/English/ps2/products/product.asp?contentID=21679
Secure Computing Corporation Web site
Enterprise Security Products
http://www.securecomputing.com/index.cfm?skey=2
NetBSD Security Advisory 2008-009
BIND cache poisoning
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-009.txt.asc
NORTEL BULLETIN ID: 2008008989, Rev 1
Nortel Response to Microsoft Security Bulletin MS08-037
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=751322
Apple Web site
About Security Update 2008-005
http://support.apple.com/kb/HT2647
HPSBUX02351 SSRT080058 rev.3
HP-UX Running BIND, Remote DNS Cache Poisoning
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01506861
Ruby Core SVN Repository
Ruby Core
http://www.ruby-lang.org/en/community/ruby-core/
Ruby Programming Language Web site
Multiple vulnerabilities in Ruby
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
Yamaha RT Series Routers Home page
Yamaha RT Series Routers
http://www.rtpro.yamaha.co.jp/
Alcatel-Lucent Security Advisory
Multiple DNS implementations vulnerable to cache poisoning
http://www1.alcatel-lucent.com/psirt/statements/2008003/DNScache.htm
NORTEL BULLETIN ID: 2008009038, Rev 1
Nortel Guidance for Multiple Vendor Fixes for BIND/DNS Cache Poison Vulnerability - CVE-2008-1447
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=762152
Astaro Web site
Up2Date 6.314 Released
http://up2date.astaro.com/2008/09/up2date_6314_released.html
CTX118183
Vulnerability in Access Gateway Standard and Advanced Edition Appliance firmware could result in DNS Cache Poisoning
http://support.citrix.com/article/CTX118183
Ingate Web site
Release notice for Ingate Firewall 4.6.4 and Ingate SIParator 4.6.4
http://www.ingate.com/relnote-464.php
Apple Web site
About the security content of iPod touch v2.1
http://support.apple.com/kb/HT3026
pdnsd Web page
pdnsd Change Log, 2008-09-01
http://www.phys.uu.nl/~rombouts/pdnsd/ChangeLog
Apple Web site
About the security content of iPhone v2.1
http://support.apple.com/kb/HT3129
Apple Web site
About the security content of Mac OS X v10.5.5 and Security Update 2008-006
http://support.apple.com/kb/HT3137
Sun Alert ID: 245206
Security Vulnerability in Solaris IP Filter Network Address Translation (NAT) May Lead to DNS Cache Poisoning
http://sunsolve.sun.com/search/document.do?assetkey=1-66-245206-1
ISS X-Force
Multiple vendor socket entropy DNS spoofing
http://www.iss.net/security_center/static/43334.php
CVE
CVE-2008-1447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447